Lock Version 9

Lock: Refresh tokens

When building mobile apps, we usually want to show the sign-in page only once and then leave the user logged in forever. For those cases, it makes sense to use a refreshToken, which lets us get a new id_token (JWT) anytime we want.

Warning: This means that if the refreshToken is compromised, whoever holds it can keep getting new JWTs forever unless we revoke that token.

1. Getting the Refresh Token

To get the refresh token, all we need to do is add the scope offline_access when calling the showSignin or showSignup method. Optionally, we can specify a device name so that the user knows which device a refresh token was created for. If not set, it is calculated automatically.
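
The step above as an added example, not code from the original page: it requests offline_access with an optional device name and stores the returned refresh token, failing if none comes back. The `authParams` layout and callback argument order are assumptions about Lock 9's API; `store`, `makeFakeLock` and `makeMemoryStore` are hypothetical helpers with constructed values so the code runs offline.

```javascript
// Added example. Assumed Lock 9 call shape: showSignin(options, callback)
// with callback(err, profile, id_token, access_token, state, refresh_token).

// Build showSignin/showSignup options that request a refresh token.
function buildOfflineOptions(deviceName) {
  // 'openid' asks for the id_token; 'offline_access' asks for the refresh token.
  var authParams = { scope: 'openid offline_access' };
  // Optional label so the user can tell which device holds a token.
  // When omitted, the device name is calculated automatically.
  if (deviceName) authParams.device = deviceName;
  return { authParams: authParams };
}

// Show the sign-in widget and persist the refresh token it returns.
function signinWithRefreshToken(lock, store, deviceName, done) {
  lock.showSignin(buildOfflineOptions(deviceName),
    function (err, profile, id_token, access_token, state, refresh_token) {
      if (err) return done(err);
      if (!refresh_token) {
        // offline_access was not honoured: fail loudly rather than keep
        // a session that cannot be renewed later.
        return done(new Error('no refresh token returned'));
      }
      // A refresh token yields new JWTs until it is revoked, so it goes
      // only to secure storage and is never logged or passed to callers.
      store.set('refresh_token', refresh_token);
      done(null, { profile: profile, id_token: id_token });
    });
}

// Constructed stand-in for an Auth0Lock instance (hypothetical helper).
function makeFakeLock(refreshToken) {
  return {
    lastOptions: null,
    showSignin: function (options, callback) {
      this.lastOptions = options;
      callback(null, { name: 'alice' }, 'constructed.jwt.value', 'at', null, refreshToken);
    }
  };
}

// Constructed in-memory store; a real app would wrap Keychain or Keystore.
function makeMemoryStore() {
  var data = {};
  return { set: function (k, v) { data[k] = v; }, get: function (k) { return data[k]; } };
}
```

In an application, `lock` would be the real Lock instance and `store` a wrapper around the platform's secure storage.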